
I am new to the Linux kernel. I would like to know how Sparse and Coverity differ, since both are used for static code analysis. So how does one decide which tool is better? The only difference I know of is that Sparse is open source, whereas for Coverity we need a license to use it.

Is there any specific set of bugs that can only be tracked down by Coverity/Sparse?

Here is a piece of code for which Coverity reports an issue but Sparse does not:

    #include <stdio.h>

    void foo(void)
    {
        int x;
        scanf("%d", &x);

        switch (x) {
        case 1: printf("CASE 1");
                /* no break here: execution falls through into case 2 (what Coverity flags) */
        case 2: printf("CASE 2");
                break;
        default:
                break;  /* a label must be followed by a statement */
        }
    }

In the example above, Coverity will report a warning about the missing break statement in case 1. But Sparse does not?

Both tools, however, are used for static code analysis of software. Please share any documentation that can highlight the advantages and disadvantages of these two tools.

4
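The switch from the question, as an added example that is not part of the original post: the same dispatch is written three times, once with the implicit fall-through that Coverity reports, once with every case terminated by break, and once with the fall-through made explicit with GCC/Clang's fallthrough attribute so that both a reader and a tool can tell intent from accident. Each version records which case bodies ran as a bit mask instead of printing, so the effect of the missing break is visible as a return value. The function and macro names (dispatch_buggy, dispatch_fixed, dispatch_intended, FALLTHROUGH) are my own.

```c
/*
 * Added example (not from the original post): the question's switch with
 * an accidental fall-through, with the fall-through removed, and with the
 * fall-through declared on purpose.
 *
 * Build with the compiler's own check enabled (GCC 7+ or Clang):
 *   gcc -std=c11 -Wall -Wextra -Wimplicit-fallthrough fallthrough_demo.c
 * Only dispatch_buggy should produce an implicit-fallthrough warning.
 */
#include <stdio.h>

/* Bit flags recording which case bodies executed. */
enum { RAN_CASE1 = 1u, RAN_CASE2 = 2u, RAN_DEFAULT = 4u };

/* Version from the question: case 1 has no break, so x == 1 also runs case 2. */
unsigned dispatch_buggy(int x)
{
    unsigned ran = 0;
    switch (x) {
    case 1:
        ran |= RAN_CASE1;
        /* missing break: control continues into case 2 */
    case 2:
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    return ran;
}

/* Fixed version: every case ends in break, so x == 1 runs only case 1. */
unsigned dispatch_fixed(int x)
{
    unsigned ran = 0;
    switch (x) {
    case 1:
        ran |= RAN_CASE1;
        break;
    case 2:
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    return ran;
}

/*
 * If the fall-through is intended, state it where the tool can see it.
 * GCC 7+ and Clang accept __attribute__((fallthrough)); on compilers
 * without it the macro degrades to a no-op so the code still builds.
 */
#if defined(__has_attribute)
#  if __has_attribute(fallthrough)
#    define FALLTHROUGH __attribute__((fallthrough))
#  endif
#endif
#ifndef FALLTHROUGH
#  define FALLTHROUGH ((void)0)
#endif

/* Same control flow as dispatch_buggy, but the fall-through is declared. */
unsigned dispatch_intended(int x)
{
    unsigned ran = 0;
    switch (x) {
    case 1:
        ran |= RAN_CASE1;
        FALLTHROUGH;
    case 2:
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    return ran;
}

int main(void)
{
    for (int x = 0; x <= 2; x++)
        printf("x=%d buggy=%u fixed=%u intended=%u\n", x,
               dispatch_buggy(x), dispatch_fixed(x), dispatch_intended(x));
    return 0;
}
```

For x == 1 the buggy and the intended versions both return RAN_CASE1 | RAN_CASE2 while the fixed one returns RAN_CASE1; the point of the third version is that a checker (or a reviewer) can distinguish it from the first even though the two behave identically.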

1 Answer

1

Tools vary in what they detect and how well they detect it. As a general rule, it is always recommended to run as many tools as possible on the source code. Granted, there are a number of considerations about doing that. First and foremost is the cost of owning and maintaining any one tool.

The big names (Fortify, CodeSonar, Coverity, Klocwork, etc.) are all expensive to buy, and have a hefty yearly maintenance cost. On the upside, they all tend to perform better than the open-source tools.

Any tool, be it open-source or proprietary, will require "care and feeding": creation of custom rules, modification of what is reported, etc. This should be done, in my opinion, by a dedicated senior programmer who is well versed in the theory and practice of secure programming.

The evaluation of the tool reports should also be done by a programmer/analyst well versed in security. The take-away message here is that a proficient programmer is not necessarily a secure programmer. There are additional sets of knowledge and skills needed to be a secure programmer.

For a brief overview of various tools, I would suggest looking at the various SAMATE (static-analysis metrics and tool evaluation) reports located here, although I do not believe that the SAMATE team ever evaluated "Sparse".

I know these are more generalities about the use of static analysis tools, but given the current state of the art, I suspect that these are probably the best you are going to get. Also, you can check out this State of the Art report on software assurance.

answered 2014-10-14T16:59:32.773